
Example 1 with LdapAuthenticationException

Use of org.apache.directory.api.ldap.model.exception.LdapAuthenticationException in the project aws-iam-ldap-bridge by denismo.

From the class AWSIAMAuthenticator, method authenticate.

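/**
 * Authenticates a simple bind. Entries that are not AWS accounts (or all entries while this
 * authenticator is disabled) are handed to the delegated authenticator; AWS account entries are
 * looked up with the admin session and their credential is checked by {@code validator}.
 *
 * @param bindContext the bind request; {@link BindOperationContext#getCredentials()} holds the
 *                    raw credential bytes sent by the client
 * @return the authenticated principal, or {@code null} when the bind was not an AWS account and
 *         no delegated authenticator is configured
 * @throws LdapAuthenticationException when the credential is absent or fails IAM verification
 * @throws Exception anything propagated by the lookup or by the delegated authenticator
 */
@Override
public LdapPrincipal authenticate(BindOperationContext bindContext) throws Exception {
    if (!isAWSAccount(bindContext) || disabled) {
        LOG.debug("Skipping " + bindContext.getDn() + " - not an AWS account");
        if (delegatedAuth == null) {
            LOG.error("Delegated auth is null");
            return null;
        }
        return delegatedAuth.authenticate(bindContext);
    }
    LOG.debug("Authenticating " + bindContext.getDn());
    byte[] password = bindContext.getCredentials();
    if (password == null) {
        // An absent credential can never verify; report it as a failed bind instead of failing
        // with a NullPointerException while decoding it below.
        String message = I18n.err(I18n.ERR_230, bindContext.getDn().getName());
        LOG.info(message);
        throw new LdapAuthenticationException(message);
    }
    // NOTE(review): an empty credential is an "unauthenticated" simple bind in LDAP; it is
    // presumably rejected by the bind handler before reaching this authenticator — confirm.
    LookupOperationContext lookupContext = new LookupOperationContext(getDirectoryService().getAdminSession(), bindContext.getDn(), SchemaConstants.ALL_USER_ATTRIBUTES, SchemaConstants.ALL_OPERATIONAL_ATTRIBUTES);
    Entry userEntry = getDirectoryService().getPartitionNexus().lookup(lookupContext);
    // Simple-bind credentials are transmitted as UTF-8; decoding with the platform default
    // charset would corrupt non-ASCII secrets on hosts whose default is not UTF-8.
    String secret = new String(password, java.nio.charset.StandardCharsets.UTF_8);
    if (validator.verifyIAMPassword(userEntry, secret)) {
        LdapPrincipal principal = new LdapPrincipal(getDirectoryService().getSchemaManager(), bindContext.getDn(), AuthenticationLevel.SIMPLE, password);
        IoSession session = bindContext.getIoSession();
        if (session != null) {
            // Record both ends of the connection on the principal for later access decisions.
            SocketAddress clientAddress = session.getRemoteAddress();
            principal.setClientAddress(clientAddress);
            SocketAddress serverAddress = session.getServiceAddress();
            principal.setServerAddress(serverAddress);
        }
        bindContext.setEntry(new ClonedServerEntry(userEntry));
        return principal;
    } else {
        // Bad password: log at info (no credential material in the message) and reject the bind.
        String message = I18n.err(I18n.ERR_230, bindContext.getDn().getName());
        LOG.info(message);
        throw new LdapAuthenticationException(message);
    }
}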

Example 2 with LdapAuthenticationException

Use of org.apache.directory.api.ldap.model.exception.LdapAuthenticationException in the project jackrabbit-oak by apache.

From the class LdapIdentityProvider, method authenticate.

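/**
 * Authenticates a user by performing an LDAP bind with the supplied password.
 *
 * <p>Only {@link SimpleCredentials} are supported; any other credential type yields
 * {@code null}. A user that cannot be resolved via {@code getUser} also yields {@code null}
 * without contacting the server.
 *
 * @param credentials the credentials to verify
 * @return the resolved external user when the bind succeeds, or {@code null} when the
 *         credentials are unsupported or the user is unknown
 * @throws LoginException            when the password is empty or the LDAP bind is rejected
 * @throws ExternalIdentityException when the bind fails for any reason other than rejection
 */
@Override
public ExternalUser authenticate(@Nonnull Credentials credentials) throws ExternalIdentityException, LoginException {
    if (!(credentials instanceof SimpleCredentials)) {
        log.debug("LDAP IDP can only authenticate SimpleCredentials.");
        return null;
    }
    final SimpleCredentials creds = (SimpleCredentials) credentials;
    final ExternalUser user = getUser(creds.getUserID());
    if (user != null) {
        // see http://tools.ietf.org/html/rfc4513#section-5.1.1 for details: a bind with a DN
        // and an empty password is an "unauthenticated" bind that servers accept without
        // checking anything, so it must never be forwarded as a password check.
        if (creds.getPassword().length == 0) {
            throw new LoginException("Refusing to authenticate against LDAP server: Empty passwords not allowed.");
        }
        // authenticate
        LdapConnection connection = null;
        try {
            DebugTimer timer = new DebugTimer();
            if (userPool == null) {
                connection = userConnectionFactory.makeObject();
            } else {
                connection = userPool.getConnection();
            }
            timer.mark("connect");
            connection.bind(user.getExternalId().getId(), new String(creds.getPassword()));
            timer.mark("bind");
            if (log.isDebugEnabled()) {
                log.debug("authenticate({}) {}", user.getId(), timer.getString());
            }
        } catch (LdapAuthenticationException e) {
            // LoginException has no (message, cause) constructor; attach the cause explicitly so
            // the server's reason survives in the stack trace instead of only its message text.
            LoginException rejected = new LoginException("Unable to authenticate against LDAP server: " + e.getMessage());
            rejected.initCause(e);
            throw rejected;
        } catch (Exception e) {
            throw new ExternalIdentityException("Error while binding user credentials", e);
        } finally {
            if (connection != null) {
                // NOTE(review): the connection is returned to userPool still carrying the
                // outcome of this user's bind — confirm the pool rebinds or discards it on release.
                try {
                    if (userPool == null) {
                        userConnectionFactory.destroyObject(connection);
                    } else {
                        userPool.releaseConnection(connection);
                    }
                } catch (Exception ignored) {
                    // Best effort: releasing the connection must not mask the bind result.
                    log.debug("Error releasing LDAP connection", ignored);
                }
            }
        }
    }
    return user;
}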

Example 3 with LdapAuthenticationException

Use of org.apache.directory.api.ldap.model.exception.LdapAuthenticationException in the project aws-iam-ldap-bridge by denismo.

From the class IAMSecretKeyValidator, method verifyIAMPassword.

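/**
 * Verifies a credential by making an authenticated IAM call ({@code GetAccountSummary}) with it.
 *
 * <p>For a user entry the access key comes from the entry's {@code accessKey} attribute and
 * {@code pw} is the secret key. For a role entry {@code pw} must be
 * {@code accessKey|secretKey|sessionToken}.
 *
 * @param user the directory entry being authenticated
 * @param pw   the password presented at bind time
 * @return {@code true} when the IAM call succeeds with the supplied credentials,
 *         {@code false} when the AWS client reports any failure
 * @throws LdapInvalidAttributeValueException when a required attribute cannot be read
 * @throws LdapAuthenticationException        when a role credential is not in the expected form
 */
@Override
public boolean verifyIAMPassword(Entry user, String pw) throws LdapInvalidAttributeValueException, LdapAuthenticationException {
    boolean role = isRole(user);
    AWSCredentials creds;
    if (role) {
        // NOTE(review): for role entries every part of the credential is client-supplied and
        // the entry is only used for logging — confirm that the caller's identity is tied to
        // the entry elsewhere.
        String[] parts = pw.split("\\|");
        if (parts.length < 3) {
            throw new LdapAuthenticationException();
        }
        creds = new BasicSessionCredentials(parts[0], parts[1], parts[2]);
    } else {
        creds = new BasicAWSCredentials(user.get("accessKey").getString(), pw);
    }
    String uid = user.get("uid").getString();
    // Only the identifier is logged; key material never reaches the log.
    LOG.debug("Verifying {} {} with accessKey <hidden> and secretKey <hidden>", role ? "role" : "user", uid);
    AmazonIdentityManagementClient client = new AmazonIdentityManagementClient(creds);
    try {
        client.getAccountSummary();
    } catch (AmazonClientException e) {
        // Any client failure — invalid credentials, but also network or throttling errors —
        // is reported as a failed verification. Logged via LOG rather than stderr so it is
        // visible alongside the rest of the authenticator's output.
        LOG.warn("IAM verification failed for {}: {}", uid, e.getMessage());
        return false;
    } finally {
        client.shutdown();
    }
    return true;
}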
